CLEAN HARBORS INC 10-K Cybersecurity GRC - 2024-02-21

Page last updated on April 11, 2024

CLEAN HARBORS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-21 11:39:04 EST.

Filings

10-K filed on 2024-02-21

CLEAN HARBORS INC filed an 10-K at 2024-02-21 11:39:04 EST
Accession Number: 0000822818-24-000008

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Clean Harbors recognizes the critical importance of developing, implementing and maintaining cybersecurity measures to safeguard our information technology. The Company has integrated cybersecurity risk management into our overall risk management framework to collectively assess and respond to operational, financial and cybersecurity risks. Board of Director Oversight The Board of Directors is acutely aware of the critical nature of managing risks associated with cybersecurity threats. The Board, led by the Executive Chairman Alan McKim, who is also the Chief Technology Officer of the Company, has primary oversight responsibilities for cybersecurity risks and therefore has established oversight mechanisms to ensure effective governance in managing risks associated with cybersecurity threats. During 2023, the Board of Directors established a special subcommittee with the goal of reviewing the Company’s overall cybersecurity risk and response landscape. The special Cybersecurity subcommittee is comprised of board members with diverse expertise including risk management, technology and finance, with two members holding Cybersecurity Oversight Certificates issued by the National Association of Corporate Directors and Carnegie Mellon University. The Chief Information Security Officer (“CISO”) and Chief Information Officer (“CIO”) provide comprehensive briefings throughout the year to both the Cybersecurity subcommittee, which meets quarterly, and to the Board of Directors as well. The briefings include the current landscape of cybersecurity risks and emerging threats, relevant Company infrastructure and tools employed to address these risk and threats, status of ongoing initiatives, incident reports and learnings and compliance with regulatory requirements and industry standards. Management’s Oversight and Responsibilities Reporting to the CIO, Cybersecurity at Clean Harbors is managed by the Chief Information Security Officer who is a Certified Informational Systems Security Professional. The CISO leads the Clean Harbors’ cybersecurity response program based on the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework providing a collaborative, balanced risk based approach to securing and defending the Company. The CISO leverages both open source and private threat intelligence sources to remain current about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. The CISO implements and oversees processes and technologies for regular monitoring of our information systems. Third party cybersecurity advisory services are employed to consult on, monitor, respond and/or assess our IT landscape and cybersecurity response. The CISO is also responsible for the ongoing cybersecurity awareness, training and education of the employees of Clean Harbors and any other parties that may interact with the Company’s information technology systems. Awareness activities include cybersecurity training, simulated exercises, cross functional tabletop exercises and internal communication updates. In the event of a cybersecurity incident, the CISO is equipped with a well-defined incident response plan which has been communicated to the IT and operational organization. This plan includes immediate actions to mitigate the impact, solutions to enable the restoration of business critical technology and long-term strategies for remediation and prevention of future incidents. Risks from Cybersecurity Threats The Company has not encountered cybersecurity challenges that have materially impacted our operations or financial results. The Company has included the relevant potential risks from cybersecurity threats as part of the Company’s Risk Factors in Item 1A herein. 25 Table Of Contents

Company Information